[PATCH v2] nvmet: Avoid potential UAF in nvmet_req_complete()
Chaitanya Kulkarni
chaitanyak at nvidia.com
Sun Mar 5 21:04:19 PST 2023
On 3/5/2023 5:13 PM, Damien Le Moal wrote:
> An nvme target ->queue_response() operation implementation may free the
> request passed as argument. Such implementation potentially could result
> in a use after free of the request pointer when percpu_ref_put() is
> called in nvmet_req_complete().
>
> Avoid such problem by using a local variable to save the sq pointer
> before calling __nvmet_req_complete(), thus avoiding dereferencing the
> req pointer after that function call.
>
> Fixes: a07b4970f464 ("nvmet: add a generic NVMe target")
> Cc: stable at vger.kernel.org
> Signed-off-by: Damien Le Moal <damien.lemoal at opensource.wdc.com>
> ---
>
Looks good.
Reviewed-by: Chaitanya Kulkarni <kch at nvidia.com>
-ck
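
The pattern described in the quoted commit message, as an added example that is not part of the original message or the kernel patch. It is a user-space C model: every structure and function name in it is a hypothetical stand-in for the nvmet code, and a plain integer counter takes the place of the percpu_ref.

```c
#include <stdlib.h>

/* User-space model: names are hypothetical stand-ins, not kernel code. */
struct sq { int ref; };              /* plain counter in place of percpu_ref */

struct req {
    struct sq *sq;
    void (*queue_response)(struct req *req);
};

/* A ->queue_response() implementation that frees the request it is given. */
void free_on_response(struct req *req) { free(req); }

/* Stand-in for __nvmet_req_complete(): hands the request to the transport. */
void do_req_complete(struct req *req) { req->queue_response(req); }

void sq_put(struct sq *sq) { sq->ref--; }

/* Before: req->sq is read after the callback may have freed req.
 * Shown for comparison only; never called here. */
void req_complete_unsafe(struct req *req)
{
    do_req_complete(req);
    sq_put(req->sq);                 /* use after free when req was freed */
}

/* After: save sq in a local first, so req is not touched after the call. */
void req_complete(struct req *req)
{
    struct sq *sq = req->sq;

    do_req_complete(req);
    sq_put(sq);
}

/* Take one reference, complete one request, return the remaining count. */
int complete_one(struct sq *sq)
{
    struct req *req = malloc(sizeof(*req));

    if (!req)
        return -1;
    req->sq = sq;
    req->queue_response = free_on_response;
    sq->ref++;
    req_complete(req);
    return sq->ref;
}

int main(void)
{
    struct sq sq = { 0 };

    return complete_one(&sq) == 0 ? 0 : 1;
}
```

Building the model with AddressSanitizer (`-fsanitize=address`) and routing `complete_one()` through `req_complete_unsafe()` instead makes the sanitizer report the read of `req->sq` as a heap use after free.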